Enabling Kerberos Authentication Without the Wizard

Note that some steps in the following procedure to configure Kerberos security cannot be completed without Full Administrator role privileges.

Important: Ensure you have secured communication between the Cloudera Manager Server and Agents before you enable Kerberos on your cluster.
Kerberos keytabs are sent from the Cloudera Manager Server to the Agents, and must be encrypted to prevent potential misuse of leaked keytabs. For instructions on securing this transfer with TLS
encryption, see How to Configure TLS Encryption for Cloudera Manager.

Prerequisites - These instructions assume that you know how to install and configure Kerberos, that you already have a working Kerberos key
distribution center (KDC) and realm setup, and that you've installed the following Kerberos client packages on all cluster hosts and hosts that will be used to access the cluster, depending on the OS
in use.

Furthermore, Oozie and Hue require that the realm support renewable tickets. Cloudera Manager supports setting up kerberized clusters with MIT KDC and Active Directory.
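
The renewable-ticket requirement can be checked from a cluster host before Kerberos is enabled. The following is an added example, not part of the Cloudera documentation: it assumes the MIT Kerberos client tools, whose `klist -f` output marks a renewable ticket with the flag `R`, and the function names, principal and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cloudera documentation): confirm the realm
# issues renewable TGTs, as Oozie and Hue require.
# Assumes MIT Kerberos `klist -f` output, where flag R means "renewable".

# Print the flag string of the krbtgt ticket found in `klist -f` output on stdin.
tgt_flags() {
    awk '
        /krbtgt\//          { in_tgt = 1; next }   # service-principal line of the TGT
        in_tgt && /Flags:/  { sub(/.*Flags:[ \t]*/, ""); print; exit }
        in_tgt && /^[^ \t]/ { in_tgt = 0 }         # a new ticket entry began
    '
}

# Succeed only if the TGT on stdin carries the R (renewable) flag.
# An empty cache or a missing TGT yields no flags and therefore fails.
tgt_is_renewable() {
    case "$(tgt_flags)" in
        *R*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample of `klist -f` output; $1 is the indented detail line.
sample_klist() {
    printf 'Ticket cache: FILE:/tmp/krb5cc_1000\n'
    printf 'Default principal: alice@EXAMPLE.COM\n\n'
    printf 'Valid starting       Expires              Service principal\n'
    printf '01/15/2024 10:00:00  01/16/2024 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n'
    printf '\t%s\n' "$1"
}

# On a real host (the principal is a placeholder), request a renewable
# ticket and test what the KDC actually granted:
#   kinit -r 7d alice@EXAMPLE.COM
#   klist -f | tgt_is_renewable && echo "realm issues renewable tickets"
```

If the check fails even though a renewable lifetime was requested with `kinit -r`, the KDC or the principal is configured with a zero maximum renewable life and the realm does not yet meet the Oozie and Hue prerequisite.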
Important: If you want to integrate Kerberos directly with Active Directory, ensure you have support from your AD administration team to do
so. This includes any future support required to troubleshoot issues such as Kerberos TGT/TGS ticket renewal, access to KDC logs for debugging and so on.

For more information about using Active Directory, refer to the section below on Considerations when using an Active Directory KDC and
the Microsoft AD documentation.